
Possible Trojan infection [RESOLVED]


  • This topic is locked

#121
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts


Hi maze7817 :blink:

Nice job,

1. Double-click avenger.exe on your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINNT\system32\v7.exe
C:\WINNT\system32\mswsock.bak


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

Next,

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\avenger\backup.zip
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Now delete your current combofix, then download it again from Here to your Desktop, run the scan again, and post the results in your next post.

And one final scan with Kaspersky :help:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
OK, post the contents of the scan reports here, and also let me know how the computer is running :whistling:
  • 0


#122
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
the trial period for avast! scanner is almost up. what should i do?
  • 0

#123
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

the trial period for avast! scanner is almost up. what should i do?

Hi maze7817 :whistling:

avast! is free for use, all you need to do is to go here http://www.avast.com...egistration.php click on this link "I'm a new user and I need a registration key for avast! Home Edition" then read this Before making your registration, please read the following information:, then fill in the form below, then click on the Register button. They will send a message to your email with the registration number in a few minutes.

Start avast!, click on Registration, a pop up will show up, copy the registration key that they sent you and paste it there, then click the OK button.

Remember, the license key is valid for 1 year. In about one year avast will alert you that your license is going to expire, all you need to do is just to re-register for free again. :blink:

Now please follow the steps from my post before and post the results here!
  • 0

#124
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rfrobygd

*******************

Script file located at: \??\C:\WINNT\system32\bjpolqys.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\v7.exe deleted successfully.
File C:\WINNT\system32\mswsock.bak deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#125
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 25, 2007 9:57:39 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/04/2007
Kaspersky Anti-Virus database records: 302174
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 35298
Number of viruses found: 3
Number of infected objects: 22 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:58:09

Infected Object Name / Virus Name / Last Action
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/comio32.dll-ren-1307 Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/d3ui32.dll-ren-1315 Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/dbmio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/dbmmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/dbmmgr32.dll-ren-1319 Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/kbdb32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/kbdb32.dll-ren-1367 Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/msio32.dll-ren-1369 Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/msmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/vcdb32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip/avenger/vcui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\avenger\backup-Sun 04.01.2007-16.25.23.18.zip ZIP: infected - 12 skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\cpf.lock Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\cert8.db Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\history.dat Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\key3.db Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\parent.lock Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Allen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DFD064.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Allen\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_278.dat Object is locked skipped
C:\WINNT\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\_OTMoveIt\MovedFiles\WINNT\msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\_OTMoveIt\MovedFiles\WINNT\system32\videos-access1336.exe/stream Infected: Trojan.Win32.DNSChanger.io skipped
C:\_OTMoveIt\MovedFiles\WINNT\system32\videos-access1336.exe NSIS: infected - 1 skipped

Scan process completed.
  • 0
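As an added example (not code from the thread, from Kaspersky, or from any tool named here), a small Python parser for the report format shown above: it separates the per-object "Infected:" lines from the container roll-up lines ("ZIP: infected - 12") and the "Object is locked" lines, and flags detections that sit inside the quarantine folders of the removal tools used in this thread (C:\avenger, C:\_OTMoveIt, C:\qoobox) or carry the not-a-virus: prefix, so what remains is the list of objects that would still need attention. The sample report and its paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner 5.x report format seen in
# this thread; the paths and file names are invented for the example.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\avenger\\backup.zip/avenger/comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\\avenger\\backup.zip ZIP: infected - 1 skipped
C:\\WINNT\\system32\\config\\SAM Object is locked skipped
C:\\Docs\\Desktop\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\_OTMoveIt\\MovedFiles\\WINNT\\system32\\dropper.exe/stream Infected: Trojan.Win32.DNSChanger.io skipped
C:\\_OTMoveIt\\MovedFiles\\WINNT\\system32\\dropper.exe NSIS: infected - 1 skipped
C:\\WINNT\\system32\\live.dll Infected: Trojan.Win32.DNSChanger.io skipped
Scan process completed.
"""

# One line per object: "<path> Infected: <detection> <action>", a container
# roll-up "<path> <kind>: infected - <n> <action>", or "<path> Object is locked <action>".
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER = re.compile(r"^(?P<path>.+?) \S+: infected - \d+ \S+$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked \S+$")
# Folders that the removal tools used in this thread keep their backups/quarantine in.
QUARANTINE_PREFIXES = ("c:\\avenger", "c:\\_otmoveit", "c:\\qoobox")

def classify(path, name):
    """Quarantined remnant, riskware (a tool the scanner flags), or active."""
    if path.lower().startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if name.startswith("not-a-virus:"):
        return "riskware"
    return "active"

def parse_report(text):
    """Return per-object detections and locked paths; roll-up lines are skipped."""
    detections, locked = [], []
    for line in text.splitlines():
        m = INFECTED.match(line)
        if m:
            d = m.groupdict()
            d["category"] = classify(d["path"], d["name"])
            detections.append(d)
        elif CONTAINER.match(line):
            continue  # already counted via the inner object lines above it
        elif LOCKED.match(line):
            locked.append(LOCKED.match(line)["path"])
    return detections, locked

def summarize(text):
    """Counts by category and detection name; 'active' paths need attention."""
    detections, locked = parse_report(text)
    by_category = Counter(d["category"] for d in detections)
    by_name = Counter(d["name"] for d in detections)
    active = [d["path"] for d in detections if d["category"] == "active"]
    return {"by_category": dict(by_category), "by_name": dict(by_name),
            "active": active, "locked": len(locked)}
```

Run against the real report in the post above, the only detections outside quarantine folders are the SmitfraudFix Reboot.exe entries, which carry the not-a-virus: prefix.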

#126
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
everything seems to be running pretty smoothly :whistling:
  • 0

#127
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hi maze7817 :help:

Glad that your computer is running well now :whistling:

Did you upload C:\avenger\backup.zip at UploadMalware? If not, please first upload the file and after that proceed with deleting files and folders.

Delete these folders/files:

C:\avenger
C:\Documents and Settings\Allen\Desktop\SmitfraudFix
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe
C:\_OTMoveIt
C:\qoobox\

The following is a list of tools that I recommend to people for better protection and to prevent re-infection of the computer.
  • SpywareBlaster - Helps prevent spyware from installing in the first place.
  • SpywareGuard - To catch and block spyware before it can execute.
  • IESpy-Ad - Blocks access to malicious websites so you cannot be redirected to them from an infected site or email.
  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Comodo BOClean - BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates without giving it the chance to invade your machine.
  • SUPERAntiSpyware Home Edition (free version) – Another effective program for helping remove some of the more difficult infections
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, and Opera
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
Also see So how did I get infected in the first place? :blink:

I will leave this thread open for a few days, if you have any questions feel free to ask me!
  • 0

#128
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
thanx! i've uploaded the file as instructed :whistling:

should i delete any other programs used to clean up my system? also, what about the various logfiles?
  • 0

#129
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

thanx! i've uploaded the file as instructed :whistling:

should i delete any other programs used to clean up my system? also, what about the various logfiles?


Yes, you can safely remove the following tools: SDFix, haxfix, Dr.Web CureIt, FixWareout, WinPFind3U.exe, dss, and combofix, logfiles too. Delete the folders instructed in my post before. I advise you to keep ATF Cleaner, it does a good job cleaning tracking cookies etc. Also read my prevention speech, you can find there some nice tools like SpywareBlaster and Comodo BOClean!

Regards
  • 0

#130
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
there's a couple other files on the desktop i'm unsure of what to do with:

find.bat
procexp.chm
procexp.exe
fixme.reg
blbeta.exe

should i delete or move these?

Edited by maze7817, 04 May 2007 - 03:49 PM.

  • 0


#131
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hello maze7817, sorry for the delay.

If you haven't already, you can safely delete these files: find.bat, fixme.reg, blbeta.exe.
The other two are up to you: if you are not planning to use Process Explorer in future, then you can also delete procexp.chm and procexp.exe.

As your malware issue is resolved now i will close your thread.

Best regards,
  • 0

#132
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
